On Fri, 22 Aug 2003 09:19:24 +1200, Bojan Zdrnja [EMAIL PROTECTED] said:
You'll also see that IP changes with time, what is obvious as they
probably have a server farm.
Actually, they have a number of server farms (at least 6 that I know of), and they
average 15,000 really cheap rack mount
On Thu, 21 Aug 2003 23:22:54 BST, Peter Ellison [EMAIL PROTECTED] said:
Hello List.
I downloaded the patch via Windoze update for Exploder 6 this Morning. No
problems with that 2 Min max. Took the shut down option, system reboots all
OK. Point Browser @ my ISPs home page to check the
Emailed government email again again again. Problem stays after much time
passed. So Here.
go to FTP.NPS.GOV logon as anonymous
want to escalate privileges?
download ~readme.now.txt
read file and you find a much better user name and password
log back in and you can upload whatever~~~
be nice.
Option 1: scrap it
--Ben
On August 21, 11:43 am Chris Cappuccio [EMAIL PROTECTED] wrote:
Hey folks,
ALL LIST MEMBERS ARE ENCOURAGED TO RESPOND AND MAKE A CHOICE AS TO HOW
THEY WANT THIS BASIC FUNCTION OF THE LIST TO CONTINUE OPERATING.
The subject header is going to change.
This is a
- Original Message -
From: Marc Maiffret
To: Full-Disclosure
Sent: Friday, August 22, 2003 4:56 AM
Subject: [Full-Disclosure] EEYE: Internet Explorer Object Data Remote Execution
Vulnerability
The first time I sent this email it included example HTML code. That HTML
code
Why are you telling us this? How does it affect anyone, but qwest, who you
notified, and who fixed it. Do we now send out a security advisory every
time we notify sometime to disable a vulnerable service (sir, you have
telnet enabled). This is getting ridiculous.
Kurt Seifried, [EMAIL PROTECTED]
Scrap it.
- Az
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ben Nelson
Sent: 22 August 2003 07:09
To: Chris Cappuccio
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Subject prefix changing! READ THIS! SURVEY!!
Option 1: scrap it
--Ben
On
/etc/iscan is not spamassassin related. It's the trendmicro antivirus
gateway main directory.
morning_wood wrote:
funny things... SpamAssassin results
1. spoof
80.179.152.112.forward.012.net.il (80.179.152.112)
Whois:
80.179.152.0 - 80.179.171.255
Please Send Abuse/SPAM complaints
To [EMAIL
I vote for number 1.
... or as second choice, number 2.
My vote is for number two, to shorten to HD or to have nothing at all...
Are two votes allowed???
Jonathan
-Original Message-
From: Chris Cappuccio [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 11:43 AM
To:
Drew Copley wrote:
Why is the state of Germany trojanizing applications which may be run by
anyone on the planet?
because this application was used to commit a bad crime - child pornography.
How is it they believe they have a right to trojanize someone outside of
Germany?
They don't. They care
I haven't had any problem issuing security advisories. What is this in
reference to?
DMCA
Pointing the finger elsewhere does not excuse the fact that the German
State has trojanized a popular application which was open to the world
to download. And, indeed, the world did download.
Here
OK, seems to be discussed, so briefly...
Go for #2 if you change, the [fd] should not hurt those wishing short subjects
(except, maybe, emotionally) and keeps it simple for the others...
Scrap it.
Rainer
___
Full-Disclosure - We believe in it.
SECURITY ADVISORY
IMPACT: DoS
SEVERITY: High
VENDOR: http://www.Wap-Serv.com
CONTACT: [EMAIL PROTECTED] , +44 (0)1628 634240
PRODUCT: http://www.wap-serv.com/product.htm
WapServ Lite, WapServ Pro, WapServ Enterprise
DISTRIBUTION: ALREADY NOTIFIED PUBLIC DOMAIN AND VENDOR SIMULTANEOUSLY
Nick FitzGerald will probably have the last word on this after the
debilitating blow delivered thus by his over-achieving intellect:
Ah, but Nick, I *DO* have omniscient access to the non-mythical IP-to-user
mapping list -- and so do you. ...
No, we don't.
It then can post from that machine
Shorten it or leave it as it is.
It just makes it easier to scan through my mail in mutt or pine and decide
which ones to read
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
I vote for 1, EVERYONE has mail software that can filter on other
headers (stop being lazy, people, just set up a rule).
-Original Message-
From: Chris Cappuccio [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 11:43 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Subject
ALL LIST MEMBERS ARE ENCOURAGED TO RESPOND AND MAKE A CHOICE
AS TO HOW THEY WANT THIS BASIC FUNCTION OF THE LIST TO
CONTINUE OPERATING.
[FD] would be fine.
If it has to be short for those who use text based MUA, at least leave
this short one. It should not be such a deal to pass from extra
- 3
- or 2 if that suits more people
Serge
-Original Message-
From: Chris Cappuccio [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 21, 2003 19:43
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi list,
ALL LIST MEMBERS ARE ENCOURAGED TO RESPOND AND MAKE A CHOICE AS TO
HOW THEY WANT THIS BASIC FUNCTION OF THE LIST TO CONTINUE
OPERATING.
The subject header is going to change.
This is a survey to see whether people want:
1. To have
my vote is for #2
thus spoke Mads Tans? [EMAIL PROTECTED] [2003.08.22.0858 +0200]:
Scrap it.
i agree, scrap it! everyone who likes it can procmail/formail it
back in.
--
martin; (greetings from the heart of the sun.)
\ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
invalid/expired pgp
Drew Copley [EMAIL PROTECTED] writes:
[...]
Drew, you simply don`t understand the basics.
A German cop has no jurisdiction over me. He has no jurisdiction over
anyone outside of Germany.
Did he force you to use the software? Not. Uhh...
The idea of Open Source is that *you* can check, what
On Fri, 22 Aug 2003, [EMAIL PROTECTED] wrote:
Drew Copley wrote:
Why is the state of Germany trojanizing applications which may be run by
anyone on the planet?
because this application was used to commit a bad crime - child pornography.
And what's next? Kazaa? IRC? (lord knows IRC can
3. Do nothing
If it 'aint broke, don't fix it. My vote is #3.
The first time I heard about BugTraq it wasn't explained to me in terms of
infosec and my reaction was that's the stupidest idea for a mailing list I've
ever heard, a bunch of people whining about software bugs in programs they
don't
On Fri, Aug 22, 2003 at 01:46:23AM +0200, Florian Weimer wrote:
| Adrian Nutz [EMAIL PROTECTED] writes:
| There should be mixes in many different countries, if possible most of
| them shouldn't have any kind of treaties that allow a fast reaction from
| the police in this countries if some
Drew Copley [EMAIL PROTECTED] writes:
Why is the U.S. government interfering with the publication
of security advisories if the corresponding software is being
run throughout the world?
I haven't had any problem issuing security advisories. What is this in
reference to?
The Windows
1 please
the list would look better and allowing no caps would be good too
thanks
On Fri, 22 Aug 2003 13:18:28 +0200 (MEST), [EMAIL PROTECTED] said:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi list,
ALL LIST MEMBERS ARE ENCOURAGED TO RESPOND AND MAKE A CHOICE AS TO
HOW THEY
[EMAIL PROTECTED] wrote:
1. NO
2. OK++
3. OK
goes for me too.
Azerail wrote:
Why is the state of Germany trojanizing applications which may be run by
anyone on the planet?
because this application was used to commit a bad crime - child pornography.
And what's next? Kazaa? IRC? (lord knows IRC can be used to
This 10.7.0.73 is Google's private IP address.
Wow! Scary!
Message also signed, so we can trust that valuable info!
#3. Easy to filter. Nobody uses 40 character text terminals these days.
-Original Message-
From: Chris Cappuccio [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 3:21 PM
To: John Cartwright
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Subject prefix changing! READ THIS!
I, for one, don't care what happens to the subject line as long as I can
still filter based on other things. I use this recipe to remove the prefix,
so I never see the thing. I care so little I wouldn't have bothered posting
if I didn't think this recipe would save someone a bit of aggravation.
Option 1, please.
--
Edward S. Marshall [EMAIL PROTECTED]
http://esm.logic.net/
Felix qui potuit rerum cognoscere causas.
-Original Message-
From: Chris Cappuccio [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 19:43
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure]
Thus spake Daniele Muscetta ([EMAIL PROTECTED]) [22/08/03 10:59]:
ALL LIST MEMBERS ARE ENCOURAGED TO RESPOND AND MAKE A CHOICE
AS TO HOW THEY WANT THIS BASIC FUNCTION OF THE LIST TO
CONTINUE OPERATING.
[FD] would be fine.
If it has to be short for those who use text based MUA, at
Option 1, please.
Gosh, that'll mean I have to configure my mail preferences again then :-)
Cheers,
--
Ricky Blaikie - Sales Director - Server City Ltd
TEL: 0871 2601000 : FAX: 0871 2601001 : http://www.servercity.co.uk
Visit our website for latest offers and pricing or e-mail me.
A honeypot maybe?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glen Freeman
Sent: Thursday, August 21, 2003 9:50 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] US Governement War3z Server?
Emailed government email again again again. Problem
[FD] would be OK. 'Else I'll have to unsubscribe this address and pick up the list with a different email client.
There is no exponential term in MIX traffic. That means that if you
try to ensure that all traffic leaves the network quickly (so you can
say, web browse), then your attacker only needs to analyze traffic
over a few seconds, and that's easy.
Simple attacks work really well on real time mix
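The timing argument in the message above, worked through as an added example (this is not code from the post or from the JAP project). The script constructs synthetic traffic from five senders, passes it either through a real-time mix that delays each packet by at most 50 ms or through a threshold mix that holds packets and flushes ten at a time, and then runs the simple attack: an observer who sees only timestamps on the input and output links, and who assumes each sender talks to its own destination so output streams are separable, links a destination to whichever sender most often transmitted within the mix's maximum latency just before each delivery. All traffic, the 50 ms bound, the batch size and the 0.0505 s observation window are constructed assumptions.

```python
"""Timing-correlation attack against a low-latency ("real-time") mix versus a
threshold (batching) mix. Added example with synthetic traffic; not JAP code."""
import bisect
import random
from collections import defaultdict


def simulate(n_users=5, packets_per_user=40, rate=1.0, max_delay=0.05,
             batch=None, seed=1):
    """Generate constructed traffic through a mix.

    Each user sends Poisson traffic (mean `rate` packets/s) to a distinct
    destination. The mix either forwards every packet after a random delay of
    at most `max_delay` seconds (batch=None, real-time mix) or holds packets
    until `batch` of them are queued and flushes the shuffled batch at once
    (threshold mix). Returns (inputs, outputs) as lists of (time, user).
    """
    rng = random.Random(seed)
    inputs = []
    for user in range(n_users):
        t = rng.uniform(0.0, 5.0)
        for _ in range(packets_per_user):
            t += rng.expovariate(rate)
            inputs.append((t, user))
    inputs.sort()

    outputs = []
    if batch is None:
        for t, user in inputs:
            outputs.append((t + rng.uniform(0.0, max_delay), user))
    else:
        pending = []
        for t, user in inputs:
            pending.append(user)
            if len(pending) == batch:
                rng.shuffle(pending)
                outputs.extend((t, u) for u in pending)
                pending = []
        # packets still queued at the end are never delivered, as in a real threshold mix
    outputs.sort()
    return inputs, outputs


def attack(inputs, outputs, n_users, window):
    """Global passive adversary: sees when each user sends (inputs) and when
    each destination receives (outputs), but not the mapping. For each
    destination it scores every candidate sender by the fraction of received
    packets that were preceded, within `window` seconds, by a packet from that
    sender, and names the top scorer. Returns the fraction of destinations
    attributed to the correct sender."""
    sent = defaultdict(list)          # per-user send times, already sorted
    for t, user in inputs:
        sent[user].append(t)
    received = defaultdict(list)      # per-destination arrival times, sorted
    for t, dest in outputs:
        received[dest].append(t)

    def preceded_within(times, t):
        i = bisect.bisect_right(times, t)
        return i > 0 and times[i - 1] >= t - window

    correct = 0
    for dest in range(n_users):
        arrivals = received[dest]
        if not arrivals:
            continue
        best_user, best_score = None, -1.0
        for cand in range(n_users):
            hits = sum(preceded_within(sent[cand], t) for t in arrivals)
            score = hits / len(arrivals)
            if score > best_score:
                best_user, best_score = cand, score
        if best_user == dest:
            correct += 1
    return correct / n_users


if __name__ == "__main__":
    for label, batch in (("real-time mix", None), ("threshold mix (batch=10)", 10)):
        ins, outs = simulate(batch=batch, seed=7)
        print("%s: attacker links %.0f%% of streams" % (label, 100 * attack(ins, outs, 5, 0.0505)))
```

With the low-latency setting every stream is linked, because a sender's own packet always falls inside the window while an unrelated sender's does so only by coincidence; with batching, the packet that triggers each flush belongs to a random queue member, the scores flatten out and the attacker is back near guessing. Cover traffic or larger delays raise the cost, but as long as the delay is bounded the attacker needs only seconds of observation.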
On Fri, Aug 22, 2003 at 10:28:15AM -0400, [EMAIL PROTECTED] wrote:
#3. Easy to filter. Nobody uses 40 character text terminals these days.
No, I use an 80-column text terminal, and with the display of other
useful information on a single line (message number, status, author,
maybe date),
Definitely NOT!! Honeypots normally appear like a normal secure machine, NOT
one that gives the information out for free. What information do they stand
to get from that? "Oh look, there are some warez filez!!" Methinks not.
-Original Message-
From: Kamal N Habayeb [mailto:[EMAIL PROTECTED]
I show 10.5.0.74 (I'm sure they have more than one
server)
-Original Message-
From: Gaurav Kumar
[mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21, 2003 2:11 PM
To:
[EMAIL PROTECTED]
Subject: [Full-Disclosure] Google
Private IP is 10.7.0.73 !!
-BEGIN PGP SIGNED
#3 or #2 in that order.
I get between two and five hundred messages a day. I want something quick in
that line to tell me whom or from what list this message is from.
Self-defining headers are a top choice.
cdv
Kurt Seifried wrote:
Why are you telling us this? How does it affect anyone, but qwest, who you
notified, and who fixed it. Do we now send out a security advisory every
time we notify sometime to disable a vulnerable service (sir, you have
telnet enabled). This is getting ridiculous.
Couple of
I do ;-p mutt is the best mail client out there, and you know it!
* [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
#3. Easy to filter. Nobody uses 40 character text terminals these days.
-Original Message-
From: Chris Cappuccio [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 21,
Can we make it [FUD] instead? =)
-Nik
On Friday, August 22, 2003, at 10:45 AM, barry jaffe wrote:
[FD] would be OK. 'Else I'll have to unsubscribe this address and
pick up the list with a different email client.
IIRC Level 3 also uses looking glass...
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Shane MacDougall
Lead Security Officer
ID Analytics
San Diego, California USA
Direct: (858) 427-2860
Toll Free: 866-240-4484 x 2860
Fax: 858-427-2899
-Original Message-
From: Blue Boar
Yeah, I'm a top poster, deal with it.
While people are piling on Gaurav, we should consider that the issue here is that an
attacker could map out Google's internal network.
Not earth shattering but not a completely useless finding.
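A quick check of the kind this thread is about, added here as an example rather than anything from the original posts: given a captured HTTP response, it lists every IPv4 literal that falls inside RFC 1918, link-local or loopback space, together with the line it appeared on. The sample response is constructed; apart from the two addresses quoted on the list (10.7.0.73 and 10.5.0.74) the headers and addresses are invented for illustration and say nothing about Google's real infrastructure.

```python
"""Internal-address disclosure check for HTTP responses.

Added example for the thread above, not code from any poster. Only 10.7.0.73
and 10.5.0.74 come from the thread; the rest of the sample is constructed.
"""
import ipaddress
import re

IPV4_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Address space that has no business appearing in a response sent to the public
# Internet: RFC 1918, link-local and loopback. IPv4Address.is_private is not
# used because it also covers documentation ranges such as 198.51.100.0/24.
INTERNAL_NETS = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    """True if the IPv4Address lies in one of INTERNAL_NETS."""
    return any(ip in net for net in INTERNAL_NETS)


def find_internal_addresses(text):
    """Return [(line_number, address, line)] for every internal IPv4 literal in text.

    Line numbers are 1-based. A literal that matches the regex but is not a
    valid address (e.g. 999.1.1.1) is discarded.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in IPV4_LITERAL.finditer(line):
            try:
                ip = ipaddress.IPv4Address(m.group(0))
            except ipaddress.AddressValueError:
                continue
            if is_internal(ip):
                hits.append((lineno, str(ip), line.strip()))
    return hits


# Constructed response: a proxy chain leaking its hops through Via and X-Cache.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: GWS/2.1
Via: 1.1 10.7.0.73 (squid/2.5), 1.0 198.51.100.14
X-Cache: MISS from 10.5.0.74
Content-Type: text/html

<html><body>served by 203.0.113.10; 999.1.1.1 is not an address</body></html>
"""


def main():
    for lineno, ip, line in find_internal_addresses(SAMPLE_RESPONSE):
        print("line %d: %s in %r" % (lineno, ip, line))


if __name__ == "__main__":
    main()
```

Run it against a saved response (for example the output of `curl -si`) to see which hop is leaking; the fix belongs on the proxy or load balancer that adds the header, not on the origin.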
On Fri, Aug 22, 2003 at 11:15:07AM -0400, Damian Gerow wrote:
Thus spake Daniele Muscetta ([EMAIL PROTECTED]) [22/08/03 10:59]:
ALL LIST MEMBERS ARE ENCOURAGED TO RESPOND AND MAKE A CHOICE
AS TO HOW THEY WANT THIS BASIC FUNCTION OF THE LIST TO
CONTINUE OPERATING.
[FD] would be
I informed the National Park Service by phone
(it was hard to get through)
and I had a nice conference with the admins.
So NPS is informed and they'll take action right now so this FTP compromise will
be stopped.
For the Sobig.F worm - the IP addresses for the malicious code download are
decrypted:
So it's 4 days after the virus was found, and they just
discover that it's got a list of 20 machines that it will pull from to create a
massive DDoS across the net? What took them so long to find it?
Taken from f-secure web site
"A potentially massive Internet
attack starts today
F-Secure Corporation is warning about a new
level of attack to be unleashed by the Sobig.F worm
today.
Helsinki, Finland - August 22, 2003
Windows e-mail worm Sobig.F,
which is currently the most
Robert Ahnemann [EMAIL PROTECTED] writes:
So it's 4 days after the virus was found, and they just discover that it's
got a list of 20 machines that it will pull from to create a massive
DDoS across the net? What took them so long to find it?
The AV vendors deliberately held back this
I dunno. I am partial to Ximian Revolution myself.
On Fri, 2003-08-22 at 12:34, Gabe Arnold wrote:
I do ;-p mutt is the best mail client out there, and you know it!
* [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
#3. Easy to filter. Nobody uses 40 character text terminals these days.
Sigh. Shouldn't NAV be programmed to not send out these kinds of
messages for worms like Sobig which are *known* to use forged return
addresses?
Richard
-Original Message-
From: NAV for Microsoft Exchange-STEW-MAIL-01
[mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 3:18 PM
To:
=== CFP -- Call For Papers for G-Con 2 -- CFP ===
[ + ] General Information:
Kelsi Siler / G-Con Security is proud to invite you participate in G-Con 2:
Nothing is safe.
This con will have workshops and conferences. The main focus is security in
general, and the techniques used to break current
Robert Ahnemann wrote:
So it's 4 days after the virus was found, and they just discover that
it's got a list of 20 machines that it will pull from to create a
massive DDoS across the net? What took them so long to find it?
The list was encrypted.
Drew Copley [EMAIL PROTECTED] writes:
If the US forces developers to trojanize their applications,
Like everywhere else, ISPs are forced to install wiretapping
equipment, which is basically the same.
New info about the Sobig.F worm - the IP addresses for the malicious trojan (or
Sorry for the repeated post
seems to be the Internet slowdown caused by Sobig.F
- got a message at the mailserver that the mail was rejected.
I noticed that spam is going up at the mailserver right now, so it seems
Sobig might be a spam-delivering bot.
Helmut Hauser
System administrator
Anyone able to verify this with another site (eeye, any other
antivirus firm)?
Jonathan
-Original Message-
From: Steve Postma
[mailto:[EMAIL PROTECTED]
Sent: Friday, August
22, 2003 12:28 PM
To: '[EMAIL PROTECTED]'
Subject: [Full-Disclosure] Sobig
has a surprise...
Richard M. Smith [EMAIL PROTECTED] writes:
I agree with Microsoft's recommendation for a hardware firewall on all
home PCs.
There is no such thing as a hardware firewall.
Typical SoHo routers have a much more defective TCP/IP stack than
Windows. Most end users (who can't configure their
Steve Postma [EMAIL PROTECTED] cites:
However, the Sobig.F worm has a surprise attack in its sleeve.
From the web site:
| As soon as we were able to crack the encryption used by the worm to
| hide the list of the 20 machines, we've been trying to close them
| down, explains Mikko Hypponen.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Rainer Gerhards
Sent: Friday, August 22, 2003 12:53 AM
To: Drew Copley; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] JAP
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Rainer Gerhards
Sent: Friday, August 22, 2003 12:33 AM
To: Drew Copley; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] JAP back doored
Why
As many of you know, the latest Sobig.F virus was scheduled to begin
downloading unknown code from various IPs at 3:00 EST today on UDP port
8998. Does anybody have any idea what this code is? Are the infected boxes
actually downloading code? Does anybody have an infected Windoze box with
Sobig
OK. Just so everyone knows, I vote for number 17.
There, got it off my chest.
Now back to your regular programming..
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding
Drew,
This issue simply can not be defended. There is no way to defend this action of the
German police. We can move the topic to other things, but ultimately, this action
can not be defended.
He, he You pretty much sound like running out of arguments.
You know the difference between
Interesting.. I have done Nessus scans myself against my own router and
not found anything to worry about in terms of incoming holes.. outgoing
is of course another matter.. G
Florian Weimer wrote:
Richard M. Smith [EMAIL PROTECTED] writes:
I agree with Microsoft's recommendation for
Why don't they publish the list of IP addresses so that people can put
filters on their networks?
rumor has it:
12.158.102.205
12.232.104.221
24.197.143.132
24.202.91.43
24.206.75.137
24.210.182.156
24.33.66.38
61.38.187.59
63.250.82.87
65.177.240.194
65.92.186.145
65.92.80.218
65.93.81.59
http://207.195.54.37/sobig.html a page that shows the status of those ips.
Taken from Dshield mailing list.
Andre Ludwig, CISSP
-Original Message-
From: Michael Scheidell [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 2:15 PM
To: Florian Weimer
Cc: Steve Postma; '[EMAIL
Yeah so if it went moderated, it could
stand for 'Full Un-Disclosure'
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Nik Reiman
Sent: Saturday, 23 August 2003 4:12 a.m.
To: barry jaffe
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] [FD]
Anyone able to verify this with another site (eeye, any other antivirus
firm)?
We just talked to one of the targets.. the FBI has also contacted them,
so.. the FBI believes it.
PS, with one exception (a power company) all of the other 19 hosts
targeted by the DoS are cable or dialups.
-
No echo replies from any of these IPs from the Charter Network.
Rich Compton
-Original Message-
From: Michael Scheidell [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 4:15 PM
To: Florian Weimer
Cc: Steve Postma; '[EMAIL PROTECTED]'
Subject: Re: [Full-Disclosure] Sobig has a
For the instant gratification newshounds
in us all
http://www.sophos.com/virusinfo/articles/sobigtimeline.html
Jamie L Thompson
IT Specialist
781.860.2438
781.860.2875 fax
781.953.5263 cell
[EMAIL PROTECTED]
Um, haven't all but one or two of the download servers been taken down?
Don't you think the remainders would have been black-holed by now?
http://www.internettrafficreport.com/main.htm shows traffic normal.
http://isc.incidents.org/ shows nothing that exciting.
Hi, recently I was called in to do a security test. When I was there, someone
who called himself admin was doing a Red Hat 9 install on a PC with 2 hard
drives.
He had to install on disk one, and when asked whether to delete partitions,
he deleted all the partitions on the 2 discs, but after only
Drew Copley [EMAIL PROTECTED] writes:
Like everywhere else, ISPs are forced to install wiretapping
equipment, which is basically the same.
In the US, criminals - not citizens - may be wiretapped at the ISP
level.
Criminals are citizens too. When the wiretapping takes place, they
are just
LURK MODE OFF
FD would be my vote.
LURK MODE ON
All the experts were totally faked out. While everyone was concentrating
on getting the magic 20 machines shut down, no one realized that
different copies of Sobig.f had different lists of servers to contact.
We put a block of udp port 8998 on our firewall this morning. We had 3
previously
[fd] For me. (option 2 isn't it?)
Andre Ludwig, CISSP
What if someone cranks a clock forward and sees what the program does?
Not having any windows systems at all, I'm in a poor position to try
this. :)
On Fri, 2003-08-22 at 13:33, Compton, Rich wrote:
As many of you know, the latest Sobig.F virus was scheduled to begin
downloading unknown code
yeah
http://science.nature.nps.gov/im/apps/npspp/index.htm
this is a pretty cool project, hate to see it
damaged b/c of such a silly policy.
-shag
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of
[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 12:04 PM
To:
On Fri, Aug 22, 2003 at 06:28:26PM +0200, Rainer Gerhards wrote:
| There is no exponential term in MIX traffic. That means that if you
| try to ensure that all traffic leaves the network quickly (so you can
| say, web browse), then your attacker only needs to analyze traffic
| over a few
AOL
[FD] would be my vote.
/AOL
--
Best regards,
CanonBallmailto: [EMAIL PROTECTED]
Error F02A: Keyboard not attached. Press F1 to continue.
Good work... diligence paid off.
On Fri, 2003-08-22 at 13:59, Helmut Hauser wrote:
I informed the National Park Service by phone
(it was hard to get through)
and I had a nice conference with the admins.
So NPS is informed and they'll take action right now so this FTP compromise will
be stopped.
Robert Ahnemann [EMAIL PROTECTED] wrote:
So it's 4 days after the virus was found, and they just discover that it's
got a list of 20 machines that it will pull from to create a massive
DDoS across the net? What took them so long to find it?
No.
Reading the more detailed descriptions posted by
On Fri, Aug 22, 2003 at 05:27:05PM -0400, William Warren wrote:
Interesting.. I have done Nessus scans myself against my own router and
not found anything to worry about in terms of incoming holes.. outgoing
is of course another matter.. G
Maybe your router operates in bridge mode so
If you don't already have it by now, here are the addresses:
http://vil.nai.com/vil/content/v_100561.htm
-Original Message-
From: Florian Weimer [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 2:20 PM
To: Steve Postma
Cc: '[EMAIL PROTECTED]'
Subject: Re: [Full-Disclosure] Sobig
- Original Message -
From: Elvedin
To: [EMAIL PROTECTED]
Sent: Friday, August 22, 2003 9:29 AM
Subject: Re: [Full-Disclosure] Idea
Well, if all shells are removed and roots and other users shell is changed
to /bin/false, you wont be able to install another shell. How would you
In playing with the eEye-SP.pl I ran into a little snag when connecting.
[Server accepting clients]
Can't call method "name" on an undefined value at ./eEye-SP.pl.1 line
47.
To fix this.. edit line 47 from this:
printf "incoming...%s\n", $hostinfo->name || $client->peeraddr;
To this:
printf
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
-Original Message-
From: Florian Weimer [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 12:35 PM
To: Drew Copley
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] JAP back doored
Drew Copley [EMAIL PROTECTED] writes:
Have the results been compiled yet? Where did the MSBLAST Nachi worm
originate? Anyone have any ideas?
Since the beginning, everyone has seen spot reports in this forum of who
is seeing things and who isn't...but so far I haven't been able to nail
down any originating areas from all the
After reviewing the actual firewall logs I find my initial report was not entirely
correct. There were two variants, not three, and the second variant contacted a list
of 5 hosts, none of which were on the big list of 20 hosts.
The second list of five addresses (all seem to be on cable or dsl
All the experts were totally faked out. While everyone was
concentrating on getting the magic 20 machines shut down,
no one realized that different copies of Sobig.f had
different lists of servers to contact.
We put a block of udp port 8998 on our firewall this morning.
We had 3
I believe it makes use of ntp for the date sensitive stuff...
-KF
Dan Stromberg wrote:
What if someone cranks a clock forward and sees what the program does?
Not having any windows systems at all, I'm in a poor position to try
this. :)
On Fri, 2003-08-22 at 13:33, Compton, Rich wrote:
As
--On Friday, August 22, 2003 1:27 PM -0600 Jonathan Grotegut
[EMAIL PROTECTED] wrote:
Anyone able to verify this with another site (eeye, any other antivirus
firm)?
I can verify this. I wrote a snort rule that looks for outgoing packets to
8998/UDP and I saw machines hitting 20 unique IPs on
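The behaviour several posters describe, infected hosts sending UDP datagrams to a short fixed list of hosts on port 8998, with a second variant carrying a different list, written up as detection logic over firewall logs. This is an added example, not code from any poster: the log lines are constructed in iptables syslog format, the three destination addresses in the known list are the first entries of the "rumor has it" list quoted earlier in the thread, and the 198.51.100.x addresses are a documentation range standing in for a variant's unpublished list. A source is flagged either because it contacted an address on the known list or because it fanned out to several distinct hosts on 8998/UDP; the second rule is what catches a variant nobody has a list for yet.

```python
"""Sobig.F-style callout detection over firewall logs.

Added example (not any poster's code). The worm behaviour described on the
list: at the trigger time an infected host sends UDP datagrams to a small,
fixed list of hosts on port 8998; a second variant carried a different list.
"""
import re
from collections import defaultdict

CALLOUT_PORT = 8998

# First three entries of the list quoted earlier in the thread. A real
# deployment would load the full vendor-published list.
KNOWN_CALLOUT_HOSTS = {"12.158.102.205", "12.232.104.221", "24.197.143.132"}

# iptables/netfilter syslog format. ICMP lines carry no SPT/DPT and are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"])
    rec["dpt"] = int(rec["dpt"])
    return rec


def analyze(lines, min_distinct=3):
    """Map source address -> list of reasons it looks infected.

    Two independent rules:
      known-list:N  the source sent 8998/UDP to N hosts on the published list
      fanout:N      the source sent 8998/UDP to N distinct hosts, whatever they are
    The second rule does not depend on the list, so it also catches a variant
    that ships its own, unpublished set of callout hosts.
    """
    dests = defaultdict(set)
    listed = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["proto"] != "UDP" or rec["dpt"] != CALLOUT_PORT:
            continue
        dests[rec["src"]].add(rec["dst"])
        if rec["dst"] in KNOWN_CALLOUT_HOSTS:
            listed[rec["src"]].add(rec["dst"])

    findings = {}
    for src, targets in dests.items():
        reasons = []
        if listed[src]:
            reasons.append("known-list:%d" % len(listed[src]))
        if len(targets) >= min_distinct:
            reasons.append("fanout:%d" % len(targets))
        if reasons:
            findings[src] = reasons
    return findings


# Constructed sample: 10.0.0.5 uses the published list, 10.0.0.9 is a variant
# with its own list (198.51.100.x is a documentation range), 10.0.0.7 is clean
# apart from an unrelated TCP connection to port 8998.
SAMPLE_LOG = """\
Aug 22 15:00:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=12.158.102.205 LEN=36 TTL=128 ID=4711 PROTO=UDP SPT=1047 DPT=8998 LEN=16
Aug 22 15:00:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=12.232.104.221 LEN=36 TTL=128 ID=4712 PROTO=UDP SPT=1047 DPT=8998 LEN=16
Aug 22 15:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=24.197.143.132 LEN=36 TTL=128 ID=4713 PROTO=UDP SPT=1047 DPT=8998 LEN=16
Aug 22 15:00:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.21 LEN=36 TTL=128 ID=2201 PROTO=UDP SPT=1062 DPT=8998 LEN=16
Aug 22 15:00:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.22 LEN=36 TTL=128 ID=2202 PROTO=UDP SPT=1062 DPT=8998 LEN=16
Aug 22 15:00:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.23 LEN=36 TTL=128 ID=2203 PROTO=UDP SPT=1062 DPT=8998 LEN=16
Aug 22 15:00:06 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.24 LEN=36 TTL=128 ID=2204 PROTO=UDP SPT=1062 DPT=8998 LEN=16
Aug 22 15:00:06 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.53 LEN=60 TTL=128 ID=9 PROTO=UDP SPT=1099 DPT=53 LEN=40
Aug 22 15:00:07 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.80 LEN=48 TTL=128 ID=10 PROTO=TCP SPT=1100 DPT=8998 WINDOW=65535 RES=0x00 SYN URGP=0
Aug 22 15:00:08 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.9 LEN=84 TTL=128 ID=11 PROTO=ICMP TYPE=8 CODE=0
"""


def main():
    for src, reasons in sorted(analyze(SAMPLE_LOG.splitlines()).items()):
        print(src, ", ".join(reasons))


if __name__ == "__main__":
    main()
```

The fan-out threshold is the part to tune: the worm contacts its whole list in a burst, so a low threshold over a short window is enough, while a host that legitimately talks to many peers on that port (none are expected, but check your own baseline first) would need the list rule to confirm.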
On Fri, 22 Aug 2003, [EMAIL PROTECTED] wrote:
Azerail wrote:
Why is the state of Germany trojanizing applications which may be run by
anyone on the planet?
because this application was used to commit a bad crime - child
pornography.
And what's next? Kazaa? IRC?
Compton, Rich [EMAIL PROTECTED] wrote:
As many of you know, the latest Sobig.F virus was scheduled to begin
downloading unknown code from various IPs at 3:00 EST today on UDP port
8998. ...
Not quite.
The target machines supply a URL (that is encoded with Sobig's string
encoding routine)
On Sat, Aug 23, 2003 at 10:45:56AM +1000, gregh wrote:
See attached text file.
As many of you are, so am I being pinged quite a lot. So, I checked out a few of the
pings and I am getting this same thing each time.
Is this an effect of Sobig? I hadn't noticed anything quite like this